Description

Security Ensuring by Program Analysis on Information Device and
Transmission Path

Technical Field 

The present invention relates to a technique of ensuring security of 
an information device. 



Background Art

In an open network such as the Internet, people can freely publicize
information or provide programs. Accordingly, there exists a possibility
of a malicious program being provided via an open network to, for example,
a communication terminal, which if executed will result in a security
breach, with information stored in the terminal being read and sent out from
the terminal. There are known in the art means to protect communication
terminals from such programs. For example, JP2001-117769 discloses a
program executing device wherein identification information (for example,
an IP address or a URL) indicating reliable sources of programs is registered
in a memory in the program executing device; and if identification
information indicating the source of a program received via a network is
registered in the memory, execution of the program is permitted.

However, in the art disclosed in JP2001-117769, it is necessary to
register all reliable program sending sources. Accordingly, each time a
reliable program sending source is added or deleted, identification
information stored in a memory must be updated. Moreover, since in a
large network such as the Internet there exists a large number of reliable
program sending sources, it is substantially difficult to register in a memory
of a terminal all identification information thereof. Further, even if it is
possible to register in a memory in a terminal all such identification
information, in order to do so it is necessary to increase the size of the memory
used, particularly that of a small communication terminal such as a mobile
phone, which results in an increase in manufacturing costs of such a
terminal.

On the other hand, if security is enhanced by, for example,
analyzing at a mobile terminal the content of a program received at the
mobile terminal via a network to determine whether the program is a
security threat, it is necessary for the mobile terminal to have a high level
of computing power. Moreover, determination of security threats at the
mobile terminal places a heavy load on a processing unit of the mobile
terminal and takes a substantial amount of time to complete. Similarly, if
at a relay device such as a server on a network, the content of a program
received via a network is analyzed to thereby determine whether execution
of the program in a communication terminal will constitute a security threat,
it is necessary to provide the relay device with a high level of computing
power. If the relay device is not provided with sufficient computing power,
delays in communications are likely to occur.

The present invention has been made in view of the problems
discussed above, and provides a technique of determining, at a receiving
device or a relay device, whether a program provided via a network is a
security threat, by using a simple method which can be quickly carried out.

Disclosure of Invention

To solve the problems, the present invention provides registering
means for registering information on whether a function of a received
program is permitted to be used; receiving means for receiving a program
and function information indicating a function used in the program;
determining means for determining, by comparing function information
received by the receiving means and information registered by the
registering means, whether a program received by the receiving means
includes a function not permitted to be used; and outputting means for
outputting a result determined by the determining means.
The present invention also provides a program for causing a
computer to function as a receiving device, and provides a
computer-readable storage medium for recording the program. The
program may be pre-installed in a memory of a computer, or it may be
installed in a computer by way of communications conducted via a network,
or be installed from the storage medium.

According to the present invention, a receiving device determines 
whether a prohibited function is present in a received program by 
comparing function information of the program and information registered 
by the registering means, and outputs the determination result. 

The present invention also provides a receiving device comprising:
registering means for registering information on whether a function of a
received program is permitted to be used; receiving means for receiving a
program and function information indicating a function used in the
program; determining means for determining, by comparing function
information received by the receiving means and information registered by
the registering means, whether to execute a program received by the
receiving means; and executing means for executing a program if the
determining means determines to execute the program. The present
invention also provides a program for causing a computer to function as a
receiving device, and provides a computer-readable storage medium for
recording the program.

According to the present invention, a receiving device determines
whether a received program should be executed by comparing function
information of the program and information registered by the registering
means.

The present invention also provides a receiving device comprising:
registering means for registering information on whether a function of a
received program is permitted to be used; first receiving means for
receiving, before receiving a program, function information indicating a
function used in the program; determining means for determining whether
to receive a program, by comparing function information received by the
first receiving means and information registered by the registering means;
second receiving means for receiving a program if the determining means
determines to receive the program; and executing means for executing a
program received by the second receiving means. The present invention
also provides a program for causing a computer to function as a receiving
device, and a computer-readable storage medium for recording the program.

According to the present invention, a receiving device determines
whether a program should be received by comparing function information
of the program and information registered by the registering means.

The present invention provides a relay device comprising:
registering means for registering information on whether a function of a
program provided via a network is permitted to be used; receiving means
for receiving a program, function information indicating a function used in
the program, and destination information indicating a destination of the
program; determining means for determining, by comparing function
information received by the receiving means and information registered by
the registering means, whether to relay a program received by the receiving
means; and sending means for sending a program to a destination
designated by destination information received by the receiving means, if
the determining means determines to relay the program.

The present invention also provides a program for causing a
computer to function as a relay device, and provides a computer-readable
storage medium for recording the program. The program may be
pre-installed in a memory of a computer, or it may be installed in a
computer by way of communications conducted via a network, or be
installed from the storage medium.

According to the present invention, a relay device determines 
whether to relay a received program by comparing function information of 
the program and information registered by the registering means. 

The present invention also provides a relay device comprising:
registering means for registering information on whether a function of a
program provided via a network is permitted to be used; receiving means
for receiving a program, function information indicating a function used in
the program, and destination information indicating a destination of the
program; determining means for determining, by comparing function
information received by the receiving means and information registered by
the registering means, whether a function not permitted to be used is used
in a program received by the receiving means; and sending means for
sending a determination result by the determining means and a program to
a destination designated by destination information received by the
receiving means, if the determining means determines to relay the program.
The present invention also provides a program for causing a computer to
function as a relay device, and provides a computer-readable storage
medium for recording the program.

According to the present invention, a relay device determines
whether a prohibited function is present in a received program by
comparing function information of the program and information registered
by the registering means, and sends the determination result with the
program.

According to the present invention, it can be readily determined at a
receiving device or a relay device whether a program provided via a
network is one that poses a security threat, by employing a simple method
and within a short time.

Brief Description of the Drawings

Fig. 1 is a block diagram illustrating a configuration of a
communication system according to the first embodiment.

Fig. 2 is a diagram illustrating a data structure of inspection result
data 202 according to the first embodiment.

Fig. 3 is a block diagram illustrating a hardware configuration of
mobile phone 50 according to the first embodiment.

Fig. 4 is a diagram illustrating a data structure of security
management table 507a according to the first embodiment.

Fig. 5 is a sequence chart illustrating operations of each component
forming communication system 1 according to the first embodiment, which
are performed until a program and inspection result data 202 thereof are
downloaded to mobile phone 50.

Fig. 6 is a diagram illustrating a screen displayed on mobile phone
50 when a security level is set according to the first embodiment.

Fig. 7 is a flowchart illustrating operations for determining whether
to execute a program received via a network, which operations are carried
out in mobile phone 50 according to the first embodiment.

Fig. 8 is a diagram illustrating a screen displayed on mobile phone
50 when execution of a program is not permitted according to the first
embodiment.

Fig. 9 is a block diagram illustrating a hardware configuration of
relay device 60 according to the second embodiment.

Fig. 10 is a flowchart illustrating operations of determining whether
to execute a program received via a network, which operations are carried
out in relay device 60 according to the second embodiment.

Fig. 11 is a block diagram illustrating a configuration of
communication system 2 according to the modification (1).

Fig. 12 is a flowchart illustrating operations carried out in mobile
phone according to the modification (2).

Fig. 13 is a diagram illustrating a screen displayed on mobile phone
50 according to the modification (2).

Best Mode for Carrying Out the Invention

Below, with reference to the drawings, embodiments of the present
invention will be described.

[A. First Embodiment] 

Fig. 1 is a block diagram illustrating a configuration of a
communication system according to the first embodiment. In Fig. 1,
content provider 10 is a service provider that provides content to mobile
phone 50. Content server 10a conducts packet communication with
mobile phone 50 via Internet 30 and mobile packet communication
network 40. Content server 10a stores programs for mobile phone 50 and
inspection result data 202 which are obtained as a result of inspection of the
programs in inspection institution 20. The programs stored in content
server 10a may be software containing image or audio data used when a
program is executed.

Inspection institution 20 is an institution which inspects a program
provided to mobile phone 50 upon an inspection request from content
provider 10, and program inspection device 20a stores security evaluation
list 201. In security evaluation list 201 there are listed functions, such as
function calls and system calls, which may compromise security in mobile
phone 50 if a program provided via a network and containing them is
executed. Security evaluation list 201 also lists resources accessible by
mobile phone 50 which may compromise security in mobile phone 50 if
accessed in accordance with a program provided via a network.

Program inspection device 20a analyzes a program to be inspected
with reference to security evaluation list 201, and extracts from the
program functions listed in security evaluation list 201. Program
inspection device 20a also identifies, among resources accessed when the
program is executed, resources listed in security evaluation list 201.
Subsequently, program inspection device 20a generates inspection result
data 202 containing the names of the extracted functions and information
on the identified resources (for example, URLs or paths indicating where
the resources have been stored, or identifiers assigned to the resources).
Inspection result data 202 is returned to content provider 10 and stored
along with the program in content server 10a.

Program inspection device 20a may record as inspection result data
202 all functions contained in a program to be inspected, or may record all
resources accessed when a program to be inspected is executed.

Mobile phone 50 is a communication terminal (receiving device)
served by mobile packet communication network 40, and can download a
program from content server 10a and execute it.

Fig. 2 is a diagram illustrating a data structure of inspection result
data 202. As shown in Fig. 2, inspection result data 202 contains the
name of an inspected program, the name of the hash algorithm used for
calculating a hash value of the program, and the calculated hash value.
Inspection result data 202 also contains a list of the names of functions
contained in the program and a list of information on resources accessed
when the program is executed, which are obtained as a result of an analysis
of the program using security evaluation list 201. The hash value
contained in inspection result data 202 is used for verifying that the
program has not been changed or falsified after inspection by program
inspection device 20a.

Fig. 3 is a block diagram illustrating a hardware configuration of
mobile phone 50. CPU 501 executes a variety of programs stored in
ROM 502 and nonvolatile memory 507, and thereby controls components
of mobile phone 50. ROM 502 stores programs for controlling mobile
phone 50. RAM 503 is used as a work area of CPU 501. Wireless
communication unit 504, under the control of CPU 501, controls wireless
communication with a base station (not shown) of mobile packet
communication network 40. Operation input unit 505 consists of a
plurality of keys, and outputs an operation signal to CPU 501 in response to
an operation of the keys. Liquid crystal display unit 506 consists of a
liquid crystal display panel and a driving circuit for controlling a display of
the liquid crystal display panel.

Nonvolatile memory 507 stores software such as an operating
system and a WWW (World Wide Web) browser for mobile phone 50.
Nonvolatile memory 507 also stores programs downloaded from content
server 10a and stores inspection result data 202 thereof. Nonvolatile
memory 507 further stores security management table 507a.

Security management table 507a, as shown in Fig. 4, registers,
among functions contained in programs for mobile phone 50, the names of
functions permitted to be used when a program received via a network is
executed, and the names of functions not permitted to be used when a
program received via a network is executed. Security management table
507a also registers, among resources accessible by mobile phone 50,
information on resources permitted to be accessed when a program
received via a network is executed, and information on resources not
permitted to be accessed when a program received via a network is
executed. As to a function or a resource which requires asking the user
whether to execute a program, the term "user confirmation" is registered in
the "permission" column of security management table 507a.

Nonvolatile memory 507 stores a plurality of security management
tables 507a, one for each security level available in mobile phone 50, such as
security management table 507a for "Level 1" or security management
table 507a for "Level 2". In mobile phone 50, when it is determined
whether to execute a program received via a network, the security management
table 507a corresponding to the security level presently set in mobile phone
50 is used among the plurality of security management tables 507a. The
security level is set by a user of mobile phone 50.

Functions registered in security management table 507a and
information on whether to permit use of the functions may be changed by
a user of mobile phone 50. The same applies to resources registered in
security management table 507a and information on whether to permit
access to the resources.

Operations of the first embodiment will now be described below.
Fig. 5 is a sequence chart illustrating operations of each component
forming communication system 1, which are performed until a program
and corresponding inspection result data 202 are downloaded to mobile
phone 50. As shown in Fig. 5, a program for mobile phone 50 written by
content provider 10 is sent along with an inspection request from content
server 10a to program inspection device 20a (Step S101).

Program inspection device 20a, upon receipt of the program and the
inspection request, analyzes the received program (Step S102). Program
inspection device 20a extracts from the program functions listed in security
evaluation list 201, and identifies resources which are accessed if the
program is executed, and which are listed in security evaluation list 201.
Program inspection device 20a also calculates a hash value of the program
using a hash algorithm. Program inspection device 20a then generates
inspection result data 202 containing the names of the extracted functions,
the information on the identified resources, the calculated hash value, the
name of the algorithm used, and the file name of the program (Step S103).
Subsequently, program inspection device 20a attaches an electronic
signature to the generated inspection result data 202 (Step S104). This
electronic signature is used for verifying in mobile phone 50 that the
program has not been changed or falsified. After that, program inspection
device 20a returns inspection result data 202 with the electronic signature
to content server 10a (Step S105). Content server 10a, upon receipt of
inspection result data 202, stores inspection result data 202 with the
inspected program in a memory (Step S106), and renders the program and
inspection result data 202 downloadable by mobile phone 50.

In mobile phone 50, a security level is set (Step S107). In the
setting of a security level, the screen shown in Fig. 6 is displayed on liquid
crystal display unit 506, and a user can select a security level of mobile
phone 50 from "Level 0 (Nothing)" to "Level 5" using operation input unit
505. The security level set by the user is stored in nonvolatile memory
507.

If mobile phone 50 downloads a program from content server 10a, a
WWW browser is launched in mobile phone 50 (Step S108), and packet
communications are started between mobile phone 50 and content server
10a. When the user selects a program to be downloaded using operation
input unit 505, a signal requesting download of the program is sent from
mobile phone 50 to content server 10a (Step S109). Content server 10a
reads the requested program and inspection result data 202 of the program
from memory, and sends them to mobile phone 50 (Steps S110 and S111).
Mobile phone 50, upon receipt of the program and inspection result data
202, stores them in nonvolatile memory 507 (Step S112).

Fig. 7 is a flowchart illustrating operations of determining whether
to execute a program received via a network, which are carried out in
mobile phone 50. The operations are carried out by CPU 501 if the
execution of a program received via a network is instructed in mobile
phone 50. As shown in Fig. 7, CPU 501 reads from nonvolatile memory
507 inspection result data 202 of the program the execution of which has
been instructed (Step S201).

CPU 501 verifies the electronic signature of inspection result data
202 (Step S202), and thereby confirms that inspection result data 202 has
been generated by inspection institution 20, and that inspection result data
202 is authentic inspection result data which has not been falsified. If,
as a result of the verification of the electronic signature, it is found that
inspection result data 202 is not authentic (Step S203: NO), CPU 501
cancels the execution of the program (Step S210), and causes liquid crystal
display unit 506 to display a message stating that the execution of the
program has been cancelled because falsification has been found in
inspection result data 202.

On the other hand, if inspection result data 202 is verified to be
authentic (Step S203: YES), CPU 501 calculates a hash value of the
program using the hash algorithm described in inspection result data 202.
CPU 501 compares the calculated hash value and the hash value described in
inspection result data 202 (Step S204). As a result of the comparison, if
the hash values do not match (Step S205: NO), CPU 501 cancels the
execution of the program (Step S210), and causes liquid crystal display unit
506 to display a message stating that execution of the program has been
cancelled because falsification has been found in the program.

On the other hand, if the hash values match (Step S205: YES), CPU
501 identifies the value of the security level currently set in mobile phone 50,
and reads from nonvolatile memory 507 the security management table 507a
corresponding to the identified value of the security level (Step S206).
CPU 501 compares the read security management table 507a and
inspection result data 202 read in Step S201 (Step S207), and thereby
determines whether to execute the program (Step S208).

To explain the operations in Steps S207 and S208 specifically, CPU
501, for each function described in inspection result data 202, namely for
each function extracted from the program to be executed, determines
whether the function is a function permitted to be used in security
management table 507a. Similarly, CPU 501, for each resource described
in inspection result data 202, determines whether the resource is a resource
permitted to be accessed in security management table 507a.

As a result, if any function that is not permitted to be used is
contained in inspection result data 202, or if any resource not permitted to
be accessed is contained in inspection result data 202, CPU 501 determines
that the program violates the security policy (security management table
507a) set by the user, and does not permit the execution of the program (Step
S208: NO). Consequently, CPU 501 cancels the execution of the program
(Step S210), and causes liquid crystal display unit 506 to display a message
as shown in Fig. 8.

For example, assuming that inspection result data 202 is as shown
in Fig. 2 and security management table 507a is as shown in Fig. 4, since
inspection result data 202 contains a function "Function 1 ()" which is not
permitted to be used according to security management table 507a, and a
resource "Local/UserData/AddressBook" which is not permitted to be
accessed according to security management table 507a, the program
corresponding to inspection result data 202 is not permitted to be executed
in mobile phone 50.

On the other hand, if all of the functions described in inspection
result data 202 are functions that are permitted to be used according to
security management table 507a, and all resources described in inspection
result data 202 are resources permitted to be accessed according to security
management table 507a, CPU 501 determines that the program meets the
security policy set by the user, and permits the execution of the program
(Step S208: YES). Consequently, CPU 501 reads the program permitted
to be executed from nonvolatile memory 507, launches the program (Step
S209), and proceeds with operations in accordance with the program.

If inspection result data 202 contains a resource requiring user
confirmation, such as the resource "http://www.xxx.co.jp" in security management
table 507a of Fig. 4, CPU 501 generates a message asking the user whether to
execute the program, causes liquid crystal display unit 506 to display it, and
determines whether to execute the program in accordance with an instruction
from operation input unit 505.

As stated above, in the present embodiment, program inspection
device 20a pre-inspects the content of a program provided to mobile phone
50 via a network, and generates inspection result data 202 containing
functions contained in the program and information on resources accessed
when the program is executed. Mobile phone 50 compares inspection
result data 202 and security management table 507a, which registers information
on whether a function may be used for each function and information on
whether a resource may be accessed for each resource, and thereby
determines whether to execute the program received via the network.
Accordingly, mobile phone 50, without analyzing the received program,
only by comparing inspection result data 202 and security management
table 507a, can determine whether the program meets the security policy
(security management table 507a) set in mobile phone 50. Consequently,
the determination process can be completed in mobile phone 50 by using a
simple method and within a short time.

Security management table 507a for determining whether to
execute a received program can be changed easily by changing the security
level. Accordingly, even if a program violates a security policy and
thereby is determined not permitted to be executed, if a user determines
that the program is valid, the program can be executed in mobile phone 50 by
temporarily lowering the security level. As stated above, in the present
embodiment, flexible setting of a security level of mobile phone 50 relative
to a received program can be carried out in accordance with a user's
wishes.

[B. Second Embodiment]

Below, the second embodiment of the present invention will be
described.

In the present embodiment, elements common to the first 
embodiment are denoted by like symbols, and descriptions common to the 
first embodiment will be omitted. 

Fig. 9 is a block diagram illustrating a hardware configuration of
relay device 60 relaying packet communications between content server
10a and mobile phone 50. Relay device 60 may be provided on either
Internet 30 or mobile packet communication network 40. In Fig. 9,
communication interface 604, under the control of CPU 601, controls
packet communication with content server 10a or mobile phone 50.
Operation input unit 605 has a mouse and a keyboard, and outputs an
operation signal to CPU 601 in accordance with operations carried out via
the mouse and the keyboard. Display unit 606 is an LCD or CRT display.

HD (Hard Disk) 607 stores security management table 507a
explained in the first embodiment. Relay device 60 of the present
embodiment, using security management table 507a, determines whether to
relay a program sent from content server 10a to mobile phone 50. Relay
device 60 receives, along with the program, inspection result data 202 of
the program and destination information indicating the destination of the
program from content server 10a. Inspection result data 202 is generated
by program inspection device 20a explained in the first embodiment. The
destination (address) information is a communication address assigned to
mobile phone 50, such as an IP address.
In the present embodiment, the security level in relay device 60 is set
by the carrier of mobile packet communication network 40 or an administrator
of relay device 60. HD 607 stores different security management tables
507a for each security level as described in the first embodiment, and in
accordance with the security level set in relay device 60, the security
management table 507a for determining whether to relay a program is
determined.

Fig. 10 is a flowchart illustrating operations performed for
determining whether to relay a program, which are carried out in relay
device 60. The operations are performed by CPU 601 if relay device 60
receives a program and inspection result data 202 thereof transmitted from
content server 10a to mobile phone 50. As shown in Fig. 10, CPU 601
verifies the electronic signature of inspection result data 202 (Step S301).
If, upon verification of the electronic signature, it is confirmed that
inspection result data 202 is not authentic (Step S302: NO), CPU 601
cancels transfer of the program to mobile phone 50 (Step S309), and sends
to mobile phone 50 a message stating that the download of the program has
been cancelled because falsification has been found in inspection result
data 202.

On the other hand, if inspection result data 202 is verified to be
authentic (Step S302: YES), CPU 601 calculates a hash value of the
program using the hash algorithm described in inspection result data 202, and
compares the calculated hash value and the hash value described in
inspection result data 202 (Step S303). If, as a result of the comparison, it
is determined that the hash values do not match (Step S304: NO), CPU 601
cancels transfer of the program to mobile phone 50 (Step S309), and sends
to mobile phone 50 a message stating that download of the program has
been cancelled because falsification has been found in the program.

On the other hand, if the hash values match (Step S304: YES), CPU
601 identifies the value of the security level set in relay device 60 at the time,
and reads from HD 607 the security management table 507a corresponding to
the identified value of the security level (Step S305). CPU 601 compares the
read security management table 507a and the received inspection result
data 202 (Step S306), and thereby determines whether to relay the program
to mobile phone 50 (Step S307).

To explain the operations in Steps S306 and S307 specifically, CPU 
601, for each function described in inspection result data 202, namely for 
each function extracted from the received program, determines whether the 
function is a function permitted to be used according to security 
management table 507a. Similarly, CPU 601, for each resource described 
in inspection result data 202, determines whether the resource is a resource 
permitted to be accessed according to security management table 507a. 

As a result, if any functions that are not permitted to be used exist 
in inspection result data 202, or if any resources that are not permitted to be 
accessed exist in inspection result data 202, CPU 601 determines that the 
program violates the security policy (security management table 507a) set 
by, for example, a carrier of mobile packet communication network 40, and 
does not permit relay of the program to mobile phone 50 (Step S307: NO). 
Consequently, CPU 601 cancels the transfer of the program (Step S309), 
and sends to mobile phone 50 a message stating that the download of the 
program has been cancelled. 

On the other hand, if all functions described in inspection result 
data 202 are functions permitted to be used according to security 
management table 507a, and all resources described in inspection result 
data 202 are resources permitted to be accessed according to security 
management table 507a, CPU 601 determines that the received program 
meets the security policy set by the carrier of mobile packet communication 
network 40, and permits the relay of the program to mobile phone 50 (Step 
S307: YES). Consequently, CPU 601 transfers the program to mobile 
phone 50 designated by the address information (Step S308). 
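The relay decision of Fig. 10 (Steps S301 to S309), written out as an added Python example that is not part of the patent: a constructed security management table 507a keyed by security level, an HMAC standing in for the inspection institution's electronic signature on inspection result data 202, the program hash check, and the function and resource comparison. The table entries, signing key and program bytes are all constructed for the example, and names absent from the table are treated as not permitted (an assumption).

```python
import hashlib
import hmac
import json

# Constructed security management table 507a, one entry per security level
# (True = permitted). Function and resource names are hypothetical.
SECURITY_MANAGEMENT_TABLE_507A = {
    1: {"functions": {"sendMail": True, "readAddressBook": True},
        "resources": {"network": True, "address_book": True}},
    2: {"functions": {"sendMail": True, "readAddressBook": False},
        "resources": {"network": True, "address_book": False}},
}

# Assumption: an HMAC over the canonical JSON of inspection result data 202
# stands in for the inspection institution's electronic signature.
INSPECTION_KEY = b"constructed-inspection-institution-key"

def sign_inspection_result(result: dict) -> bytes:
    body = json.dumps(result, sort_keys=True).encode()
    return hmac.new(INSPECTION_KEY, body, "sha256").digest()

def relay_decision(program: bytes, result: dict, signature: bytes, level: int):
    """Return (relay?, reason) following Steps S301 to S309 of Fig. 10."""
    # S301/S302: the signature on inspection result data 202 must verify.
    if not hmac.compare_digest(sign_inspection_result(result), signature):
        return False, "falsification found in inspection result data"
    # S303/S304: recompute the program hash with the algorithm the data names.
    digest = hashlib.new(result["hash_algorithm"], program).hexdigest()
    if not hmac.compare_digest(digest, result["hash_value"]):
        return False, "falsification found in the program"
    # S305: table 507a for the security level currently set in relay device 60.
    table = SECURITY_MANAGEMENT_TABLE_507A[level]
    # S306/S307: every extracted function and resource must be permitted.
    # Names absent from the table are treated as not permitted (assumption:
    # deny by default; the page describes only listed entries).
    denied = [f for f in result["functions"] if not table["functions"].get(f, False)]
    denied += [r for r in result["resources"] if not table["resources"].get(r, False)]
    if denied:
        return False, "violates security policy: " + ", ".join(denied)
    return True, "relayed"  # S308

# Constructed program and its inspection result data 202.
PROGRAM = b"constructed program body"
RESULT_202 = {"hash_algorithm": "sha256",
              "hash_value": hashlib.sha256(PROGRAM).hexdigest(),
              "functions": ["sendMail", "readAddressBook"],
              "resources": ["network"]}
SIGNATURE = sign_inspection_result(RESULT_202)
```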

As stated above, in the present embodiment, program inspection 
device 20a pre-inspects the content of a program provided to mobile phone 
50 via a network, and generates inspection result data 202 containing 
functions contained in the program and information on resources accessed 
when the program is executed. Relay device 60 compares inspection 
result data 202 and security management table 507a registering information 
for each function on whether that function may be used and information on 
each resource on whether that resource may be accessed; and thereby 
determines whether to relay the program to mobile phone 50. 
Accordingly, relay device 60, without analyzing the program to be relayed, 
only by comparing inspection result data 202 and security management 
table 507a, can determine whether the program meets the security policy 
(security management table 507a) set in relay device 60. Consequently, 
the determination process can be completed in relay device 60 by using a 
simple method and within a short time, thereby avoiding any delay in 
communications. Also, since transfer of a program violating a security 
policy is cancelled, provision of such a program to mobile phone 50 is 
prevented. 

Functions registered in security management table 507a and 
information on which functions may be used can be changed by a carrier of 
mobile packet communication network 40 or by an administrator of relay 
device 60. The same applies to resources registered in security 
management table 507a and information on which resources may be 
accessed. 

[C. Modifications] 

(1) In the first embodiment, inspection result data 202 is sent to mobile 
phone 50 along with a program. However, as shown in Fig. 11, there may 
be provided inspection result registering server 70 for registering inspection 
result data 202 of each program inspected in inspection institution 20. In 
this case, mobile phone 50, after downloading a program from content 
server 10b, obtains inspection result data 202 of the program from 
inspection result registering server 70. This is the same as in the second 
embodiment, namely, inspection result registering server 70 registers 
inspection result data 202 of each program, and relay device 60, if 
receiving a program to be transferred to mobile phone 50 from content 
server 10b, obtains inspection result data 202 of the program from 
inspection result registering server 70. Inspection result registering server 
70 may be provided either on mobile packet communication network 40 or 
in inspection institution 20. 

(2) In the first embodiment, when a determination in Step S208 of Fig. 
7 is negative, operations may be changed as shown in Fig. 12. 

Namely, CPU 501, if a determination in Step S208 of Fig. 7 is 
negative, causes liquid crystal display unit 506 to display, as shown in Fig. 
13, a message that a program to be executed violates a security policy, and 
a message confirming whether the program should be executed with 
available functions limited (Step S401). Responsive to these messages, a 
user instructs mobile phone 50 using operation input unit 505 to execute 
the program with available functions limited or to cancel execution of the 
program. The messages may be outputted as voice messages from mobile 
phone 50. 

CPU 501, if canceling execution of the program is instructed via 
operation input unit 505 (Step S402: NO), cancels execution of the 
program (Step S403). On the other hand, if execution of the program is 
instructed via operation input unit 505 (Step S402: YES), CPU 501 reads 
the program from nonvolatile memory 507 and launches it (Step S404). 
After that, CPU 501 determines whether the running program has been 
terminated (Step S405), and until termination of the running program, 
limits functions available in the program in accordance with security 
management table 507a (Step S406). Security management table 507a for 
limiting available functions corresponds to a security level set in mobile 
phone 50 at that time. 

To explain the operations in Step S406 specifically, if CPU 501 
identifies a function such as a function call and a system call when 
sequentially interpreting and running the program, CPU 501 determines 
whether the function is a function permitted to be used according to 
security management table 507a. If the function is a function permitted to 
be used, CPU 501 permits the use of the function and continues the running 
of the program. On the other hand, if the function is a function not 
permitted to be used, CPU 501 does not permit the use of the function and 
suspends the running of the program. 

Also, CPU 501 monitors an access request to a resource occurring 
when sequentially interpreting and running the program, and determines 
whether the resource for the access request is a resource permitted to be 
accessed according to security management table 507a. If the resource is 
a resource permitted to be accessed, CPU 501 permits an access to the 
resource and continues the running of the program. On the other hand, if 
the resource is a resource not permitted to be accessed, CPU 501 does not 
permit an access to the resource and suspends the running of the program. 

According to the configuration stated above, mobile phone 50 can 
execute even a program violating a security policy by limiting available 
functions of the program. 
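The runtime limiting of Step S406, as an added Python example that is not drawn from the patent: a trace hook gates each Python-level function call by name against a constructed security management table 507a and suspends the program at the first call that is not permitted. Only the function-call half of Step S406 is modelled (resource access is not intercepted here), and the table entries and function names are hypothetical.

```python
import sys

# Constructed security management table 507a for the security level set in
# mobile phone 50 (True = permitted); function names are hypothetical.
TABLE_507A = {"functions": {"display_text": True, "send_mail": True,
                            "dial_number": False}}

class PolicyViolation(Exception):
    """Raised to suspend the program at a function not permitted by table 507a."""

def run_limited(program, table=TABLE_507A):
    """Run `program` while checking each function call against the table (Step S406).

    The entry point itself is always allowed: it is the program being run,
    not a function the program calls.
    """
    permitted = {name for name, ok in table["functions"].items() if ok}
    permitted.add(program.__name__)

    def tracer(frame, event, arg):
        # Fired on every new Python frame; the called function's name is checked.
        if event == "call" and frame.f_code.co_name not in permitted:
            raise PolicyViolation(frame.f_code.co_name)  # suspend the program
        return None  # no line-by-line tracing needed

    sys.settrace(tracer)
    try:
        return {"status": "terminated", "result": program()}  # Step S405
    except PolicyViolation as exc:
        return {"status": "suspended", "at": str(exc)}
    finally:
        sys.settrace(None)

# Constructed program: its "functions" are plain Python functions.
def display_text(text):
    return "shown:" + text

def dial_number(number):
    return "dialled:" + number

def benign_program():
    return display_text("hello")

def violating_program():
    display_text("calling")          # permitted, runs
    return dial_number("0123")       # not permitted, program is suspended here
```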

(3) Security management table 507a may register only functions 
permitted to be used and those not permitted to be used; while security 
management table 507a may register only information on resources 
permitted to be accessed and those not permitted to be accessed. Further, 
security management table 507a may register only functions permitted to 
be used or only functions not permitted to be used; while security 
management table 507a may register only resources permitted to be 
accessed or only resources not permitted to be accessed. 

(4) In the second embodiment, HD 607 of relay device 60 may register 
for each mobile phone 50 a security level set by a user of mobile phone 50. 
In this case, relay device 60 may identify a security level of mobile phone 
50 to which a program is to be transferred, and determine whether to relay 
the program using security management table 507a corresponding to the 
security level. 

(5) In the first embodiment, nonvolatile memory 507 of mobile phone 
50 may store a security management table for a program to which 
inspection result data 202 has not been attached. Also, nonvolatile 
memory 507, if there are a plurality of inspection institutions similar to 
inspection institution 20, may store a security management table for a 
program to which inspection result data generated in an inspection 
institution other than inspection institution 20 has been attached. This is 
the same as in the second embodiment; namely, HD 607 may store a 
security management table for a program to which inspection result data 
202 has not been attached, or a security management table for a program to 
which inspection result data generated in an inspection institution other 
than inspection institution 20 has been attached. 

(6) In the first embodiment, inspection result data 202 may further 
contain provider identification information for identifying a provider of a 
program such as the name of a content provider or a URL of a program 
sending source; and nonvolatile memory 507 of mobile phone 50 may store 
different security management tables 507a for each provider identification 
information. In this case, mobile phone 50 may determine whether to 
execute a received program using security management table 507a 
corresponding to a provider identification information contained in 
received inspection result data 202. This is the same in the second 
embodiment, namely, inspection result data 202 may further contain a 
provider identification information, HD 607 of relay device 60 may store 
different security management tables 507a for each provider identification 
information; and relay device 60 may determine whether to relay a received 
program using security management table 507a corresponding to a provider 
identification information contained in received inspection result data 202. 

(7) In the first embodiment, mobile phone 50, on completion of 
downloading a program, may determine whether the program meets a 
security policy (security management table 507a) by comparing inspection 
result data 202 of the program and security management table 507a, and 
cause liquid crystal display unit 506 to display the determination result. 
The determination result may be outputted as voice messages from mobile 
phone 50. Also, mobile phone 50, when instructed by a user using 
operation input unit 505 to check the safety of a received program, may 
determine whether the program meets a security policy by comparing 
inspection result data 202 of the program and security management table 
507a, and output the determination result. 

In the cases stated above where a determination is made not as to 
whether the program should be executed but as to whether the program meets a 
security policy, and the determination result is reported to a user, the user, 
on the basis of the reported determination result, deletes (uninstalls) the 
program from nonvolatile memory 507 or avoids execution of the program, 
which consequently maintains the security of mobile phone 50. In this 
case, if the program violates the security policy, the names of functions not 
permitted to be used and information on resources not permitted to be 
accessed, which are contained in the program, may be reported to the user 
along with the determination result. Alternatively, if the program violates 
the security policy, mobile phone 50 may cause liquid crystal display unit 
506 to display a message confirming whether to delete the program, and if 
instructed by use of operation input unit 505 to delete the program, will 
uninstall the program from nonvolatile memory 507. 

In the second embodiment, relay device 60, when transferring a 
program to mobile phone 50, may determine whether the program meets a 
security policy (security management table 507a) by comparing inspection 
result data 202 of the program and security management table 507a, and 
send the determination data to mobile phone 50 along with the program. 

(8) In the first embodiment, mobile phone 50, before downloading a 
program from content server 10a, may download only inspection result data 
202 of the program from content server 10a. In this case, mobile phone 
50 compares received inspection result data 202 and security management 
table 507a, and thereby determines whether the program to be downloaded 
meets a security policy (security management table 507a). As a result of 
the determination, if the program meets the security policy, mobile phone 
50 downloads the program from content server 10a. On the other hand, if 
the program violates the security policy, mobile phone 50 cancels 
download of the program. According to this configuration, if a program 
to be downloaded violates a security policy, downloading the program is 
prevented, and consequently unnecessary packet communications can be 
avoided. 

(9) In the first and second embodiments, a program may be distributed 
to mobile phone 50 instead of being downloaded. A receiving device 
according to the present invention may be applied to a wireless terminal 
communicating via a public wireless LAN or a personal computer 
communicating via the Internet. A relay device according to the present 
invention may be applied to a gateway server, a proxy server, or a 
switching center or a base station provided on mobile packet 
communication network 40. A program for causing a computer such as 
mobile phone 50 or relay device 60 to execute processes according to the 
present invention may be installed in a computer via a network, or may be 
stored in a variety of computer-readable storage media for distribution. 



